Splunk and the CIS Critical Security Controls

The CIS Critical Security Controls (CSC) are a proven, prioritized list of 20 controls that can be used to minimize security risks to enterprise systems and the critical data they maintain. Splunk software has a unique approach that allows you to easily ingest data related to all 20 controls and apply the logic you need to search, report, alert and correlate data for your security or audit requirements.

Splunk software makes all data in your organization security relevant. In this comprehensive e-book you will learn:

Techniques to simplify, augment and accelerate the adoption of the CIS Top 20 Critical Security Controls in your environment

Email Policy

Effective Date: September 29, 2016

This Privacy Policy explains how we collect, use, and disclose information you provide to us (“Information”), including Personal Information (sometimes called “Personal Data” outside the U.S.), by which we mean information that would allow us to determine your identity when you engage with us. For example, Splunk may receive your Information when you:

Communicate or interact with Splunk on-line or off-line, including for service of Splunk products or services installed on your premises or in the cloud

We refer collectively to these interactions as the “Services”. We explain below how we collect and use the Information you provide and the data created when you use the Services.

Splunk Processes Data for Our Customers. If you submit to us (or to third-parties acting on our behalf) any Personal Information relating to other people in connection with your use of the Services, you represent that you have the authority to do so and to permit us to use the Information in accordance with this Privacy Policy. Because of the nature of the Services, we may operate as a data processor for our customers, who act as data controllers, and will process the Information in accordance with the terms of our customer agreements, including this Privacy Policy. It is our customers’ responsibility to ensure that the Information they provide to us can be legally collected in the country of origin, transmitted to us and maintained or used by us.

Splunk Values. Splunk is committed to upholding the privacy principles articulated in the EU-U.S. Privacy Shield (“Privacy Principles”) to which Splunk has self-certified. This Privacy Policy provides useful information about how Splunk adheres to these Privacy Principles and your rights with respect to them.

What We Collect and How You “Opt-Out”

Data From You or Others. While we (or third-parties acting on our behalf) may collect your Information, including Personal Information, when providing the Services, we also collect it in a variety of other ways, such as through public databases, joint marketing partners, social media platforms, conference hosts, event companies, and other third-parties. If you log in to our Services using your social media login credentials (e.g., Google+), we may receive Information, including Personal Information, as determined by the practices of the applicable social media platform.

Data From the Services (Usage and Analytics Data). We also collect and process usage data when you use our Services (e.g., ingest volume, search concurrency, number of unique user logins, apps loaded, operating system, internet protocol address, source type (count), session duration and other use data) (“Usage Data”) in order to provide, maintain, and improve our Services. (In some products, you may have the option of configuring the administrator settings to opt-out of providing this information automatically.)

In addition, we collect and process anonymized, aggregated data about a group or category of Services, features or users in order to improve the Services (“Analytics Data”). For example, Analytics Data may include anonymized Usage Data, information about the server environment (e.g., OS type/version, CPU type/version, database type/version, disk utilization), information about the devices operating the Services (e.g., browser type/version, OS type/version, device type/version), or such other similar information about user configuration or operation of Service features or functionality.

On devices that enable location-based services, we may receive location information (determined by GPS or other signals), if you consent. (We may use this information to provide personalized location-based services and content. You can restrict our access to your device’s location by adjusting the location-based service preferences on your device.)

How We Use Your Information

Splunk may use Information for various purposes, such as to:

Fulfill your orders or respond to requests you make (e.g., for marketing materials from our website)

Provide, improve and develop the Services, including account changes, billing and payments, customer or support services, or software updates

Issue Splunk accounts for access to online communities

Send administrative information, like product announcements or changes to contract terms or policies

Send marketing communications, like educational materials or information about special offers or upcoming online or offline events, such as SplunkLive

Invite you to participate in various promotional activities, contests, webcasts, sweepstakes, hackathons, usability studies, campaigns, surveys and product tests, and to assess their effectiveness

Research and analyze how our Services are used via cookies, web beacons and other similar technologies to personalize the Services. (For more information about our use of cookies and your choices to opt-out of their use, click here to view our Cookie Policy.)

Diagnose and fix technical issues and monitor the security of our environments

How We Use Analytics Data

We use Analytics Data extensively to help us better understand how our Services are being used, make improvements to them, and develop new features, products and services. For example, we may use this data to:

Better understand how our users configure and use our Services

Determine which configurations or practices optimize performance (e.g., best practices)

Benchmark key performance indicators (“KPIs”)

Perform data analysis and audits

Identify, understand and anticipate performance issues and the environmental factors that affect them

Other such business purposes relating to the operation, improvement, or development of our Services

How Splunk Shares Your Information

Splunk may disclose Information to third parties in the following ways:

Affiliates. We may disclose Information to our affiliates subject to these obligations. Splunk Inc. is the party responsible for the management of jointly-used Personal Information.

Service Providers. We may disclose Information to our third-party service providers, vendors, or others who provide services for Splunk’s business operations. This may include such things as infrastructure, data analysis, order fulfillment, IT services, customer service, professional services or audit services, among others.

Partners and Resellers. We may disclose Information to third-parties, including our strategic partners and resellers to permit them to assess your interest in the Services, conduct user research and surveys, or send you marketing communications, subject to the terms of their privacy policies.

Compliance and Safety. We may disclose Information as necessary or appropriate under applicable laws (including laws outside your country of residence) to: comply with legal process or requirements, including applicable notification obligations; respond to requests from public and government authorities (including public and government authorities outside your country of residence); enforce our terms and conditions; and protect our operations or those of any of our affiliates and our rights, privacy, safety, or property, and/or that of our affiliates, you or others.

Merger, Sale, Etc. We may disclose Information in the event of a proposed or actual reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Splunk business, assets or stock (including in connection with any bankruptcy or similar proceedings).

Other Users. We may disclose Information to other users of the Service in aggregated format, provided it does not include Personal Information. This may include “best practices” tips, KPIs, benchmark data or other such aggregated information useful to the user community.

How We Secure Your Information

Splunk takes reasonable administrative, technical and physical measures to safeguard Personal Information against loss, theft, and unauthorized access, disclosure, alteration, misuse, or destruction. Unfortunately, no data transmission, software, or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please notify us immediately in accordance with the “Contact Splunk” section below. If Splunk learns of a breach of its systems, Splunk may notify you or others consistent with applicable law and as agreed. By using the Services or providing Personal Information to Splunk, you agree that Splunk may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services and the Information.

How You Can Access and Correct Your Information

We give you choices regarding your access, and our use and disclosure, of your Personal Information for marketing purposes. If you would like to review, correct, or update your Personal Information contact us at: marketingops@Splunk.com. Be sure to indicate in your request what Information you would like to have changed. We will try to comply with your request(s) as soon as reasonably practicable, consistent with applicable law. Note, in some cases we may charge an administrative fee to process marketing access requests.

If you no longer want to receive marketing-related emails from Splunk on a go-forward basis, you may also contact us at the marketing email address above and request that your Personal Information be removed from marketing-related emails.

Splunk Also Observes the Following Practices

Retention Period. We will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or not prohibited by applicable law.

Use of Services by Minors. The Services are not directed to individuals under the age of thirteen (13) or those not of the age of majority in your jurisdiction, and we request that these individuals do not provide Personal Information through the Services.

Cross-Border Transfers. Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, and by using any of our Services, you consent to the transfer of Information to countries outside of your country of residence, including to the United States, which may have different data protection rules than in your country. It is your responsibility to ensure that the Information you provide to us can be legally transferred to the United States or another country.

EU-U.S. Privacy Shield. As indicated in Splunk’s Privacy Shield Notice (found here), Splunk has certified to the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.

Sensitive Information. You agree to not send us or disclose any sensitive Personal Information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, criminal background, or trade union membership) or any protected health information as defined by the Health Insurance Portability and Accountability Act of 1996 (otherwise known as “HIPAA”) Standards for Privacy of Individually Identifiable Health Information, as amended, unless otherwise provided in your written agreements with Splunk.

Links to Other Parties. The Services may contain links to or facilitate access to third-party websites or online services. This Privacy Policy does not address, and Splunk is not responsible for, the privacy, information, or other practices of those third-parties, including any app developer, app provider, social media platform provider, operating system provider, wireless service provider, or device manufacturer. The inclusion of a third-party link within the Services does not imply endorsement of the linked site or service by us or our affiliates. Splunk encourages you to review the privacy policies and learn about the privacy practices of those companies whose websites you choose to visit.

Apps and Other Third-Party Content. The Services may be extendible through the use of software applications that we offer through apps.splunk.com, called apps and add-ons. These extensions are versatile, and have access to a broad set of web technologies that can be used to collect and use your information. Additionally, some Services ship with a fully functional web and application server that can be extended by you or by third-party software. This Privacy Policy does not extend to third-party apps or add-ons (which may also collect your Information) even if packaged by Splunk or offered through a Splunk web property.

Splunk contractually requires third-party app developers to comply with applicable privacy and data protection laws. If third-party app developers collect and transmit information about users of their apps, Splunk contractually requires the developers to provide app users with notice of the collection and use of such data, and to obtain consent from app users before modifying the information, disclosing the information to other entities, or using the information for purposes other than to provide the services offered by the apps. Splunk cannot guarantee that third-party app developers will comply with those requirements. When choosing to use apps, add-ons or other third-party extensions, you are entering into a license agreement with those third-parties. You should familiarize yourself with the privacy policies of the organizations or individuals providing you with software that runs in or with your Splunk product.

Updates to this Privacy Policy. We may change this Privacy Policy from time to time. If we change our Privacy Policy, we will post an updated privacy policy here, and it will become effective as of the date of posting (“Effective Date”). Your use of the Services following these changes means that you accept the revised Privacy Policy.

Your Consent. By using the Services, you agree to and consent to be bound by the terms and conditions of this Privacy Policy.

Contact Splunk. If you have any questions or comments about this Privacy Policy, the information practices of the Services, or your dealings with Splunk, you can contact us at any time:

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.